CreateOrganization

Creates an AWS organization. The account whose user is calling the CreateOrganization
operation automatically becomes the master account of
the new organization.

This operation must be called using credentials from the account that is to become
the new
organization's master account. The principal must also have the relevant IAM
permissions.

By default (or if you set the FeatureSet parameter to ALL), the
new organization is created with all features enabled and service control policies
automatically enabled in the root. If you instead choose to create the organization
supporting
only the consolidated billing features by setting the FeatureSet parameter to
CONSOLIDATED_BILLING", then no policy types are enabled by default and you
cannot use organization policies.

Request Syntax

Request Parameters

Specifies the feature set supported by the new organization. Each feature set supports
different levels of functionality.

CONSOLIDATED_BILLING: All member accounts have their bills
consolidated to and paid by the master account. For more information, see Consolidated
billing in the AWS Organizations User Guide.

ALL: In addition to all the features supported by the
consolidated billing feature set, the master account can also apply any type of policy
to
any member account in the organization. For more information, see All
features in the AWS Organizations User Guide.

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You don't have permissions to perform the requested operation. The user or role that
is
making the request must have at least one IAM permissions policy attached that grants
the
required permissions. For more information, see Access Management in the
IAM User Guide.

HTTP Status Code: 400

AccessDeniedForDependencyException

The operation that you attempted requires you to have the
iam:CreateServiceLinkedRole
for
organizations.amazonaws.com permission so that AWS Organizations can
create the required service-linked role. You don't have that permission.

HTTP Status Code: 400

AlreadyInOrganizationException

This account is already a member of an organization. An account can belong to only
one
organization at a time.

HTTP Status Code: 400

ConcurrentModificationException

The target of the operation is currently being modified by a different request. Try
again
later.

HTTP Status Code: 400

ConstraintViolationException

Performing this operation violates a minimum or maximum value limit. For example,
attempting to removing the last service control policy (SCP) from an OU or root, inviting
or
creating too many accounts to the organization, or attaching too many policies to
an account,
OU, or root. This exception includes a reason that contains additional information
about the
violated limit.

Some of the reasons in the following list might not be applicable to this specific
API or
operation:

ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of
accounts in an organization. If you need more accounts, contactAWS Support to request an increase in your
limit.

Or the number of invitations that you tried to send would cause you to exceed the
limit of accounts in your organization. Send fewer invitations or contact AWS Support
to
request an increase in the number of accounts.

Note

Deleted and closed accounts still count toward your limit.

Important

If you get receive this exception when running a command immediately after creating
the organization, wait one hour and try again. If after an hour it continues to fail
with this error, contact AWS
Support.

HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes that
you can send in one day.

OU_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the number of OUs that you can have
in an organization.

OU_DEPTH_LIMIT_EXCEEDED: You attempted to create an OU tree that is too many levels
deep.

ORGANIZATION_NOT_IN_ALL_FEATURES_MODE: You attempted to perform an operation that
requires the organization to be configured to support all features. An organization
that
supports only consolidated billing features can't perform this operation.

POLICY_NUMBER_LIMIT_EXCEEDED. You attempted to exceed the number of policies that
you
can have in an organization.

MAX_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to exceed the number of
policies of a certain type that can be attached to an entity at one time.

MIN_POLICY_TYPE_ATTACHMENT_LIMIT_EXCEEDED: You attempted to detach a policy from an
entity that would cause the entity to have fewer than the minimum number of policies
of a
certain type required.

ACCOUNT_CREATION_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of accounts
that you can create in one day.

MASTER_ACCOUNT_ADDRESS_DOES_NOT_MATCH_MARKETPLACE: To create an account in this
organization, you first must migrate the organization's master account to the marketplace
that corresponds to the master account's address. For example, accounts with India
addresses must be associated with the AISPL marketplace. All accounts in an organization
must be associated with the same marketplace.

MASTER_ACCOUNT_MISSING_CONTACT_INFO: To complete this operation, you must first
provide contact a valid address and phone number for the master account. Then try
the
operation again.

HTTP Status Code: 400

InvalidInputException

The requested operation failed because you provided invalid values for one or more
of the
request parameters. This exception includes a reason that contains additional information
about the violated limit:

Note

Some of the reasons in the following list might not be applicable to this specific
API
or operation:

IMMUTABLE_POLICY: You specified a policy that is managed by AWS and can't be
modified.

INPUT_REQUIRED: You must include a value for all required parameters.

INVALID_ENUM: You specified a value that isn't valid for that parameter.

INVALID_FULL_NAME_TARGET: You specified a full name that contains invalid
characters.

INVALID_LIST_MEMBER: You provided a list to a parameter that contains at least one
invalid value.

INVALID_PARTY_TYPE_TARGET: You specified the wrong type of entity (account,
organization, or email) as a party.

INVALID_PAGINATION_TOKEN: Get the value for the NextToken parameter from
the response to a previous call of the operation.

INVALID_PATTERN: You provided a value that doesn't match the required pattern.

INVALID_PATTERN_TARGET_ID: You specified a policy target ID that doesn't match the
required pattern.

INVALID_ROLE_NAME: You provided a role name that isn't valid. A role name can't begin
with the reserved prefix AWSServiceRoleFor.

INVALID_SYNTAX_ORGANIZATION_ARN: You specified an invalid Amazon Resource Name (ARN)
for the organization.

INVALID_SYNTAX_POLICY_ID: You specified an invalid policy ID.

MAX_FILTER_LIMIT_EXCEEDED: You can specify only one filter parameter for the
operation.

MAX_LENGTH_EXCEEDED: You provided a string parameter that is longer than
allowed.

MAX_VALUE_EXCEEDED: You provided a numeric parameter that has a larger value than
allowed.

MIN_LENGTH_EXCEEDED: You provided a string parameter that is shorter than
allowed.

MIN_VALUE_EXCEEDED: You provided a numeric parameter that has a smaller value than
allowed.

MOVING_ACCOUNT_BETWEEN_DIFFERENT_ROOTS: You can move an account only between entities
in the same root.

HTTP Status Code: 400

ServiceException

AWS Organizations can't complete your request because of an internal service error.
Try again
later.

HTTP Status Code: 400

TooManyRequestsException

You've sent too many requests in too short a period of time. The limit helps protect
against denial-of-service attacks. Try again later.

Examples

Example

Diego wants to create an organization using credentials from account
111111111111. The following example shows that the account becomes the master
account in the new organization. Because he does not specify a features set, the new
organization defaults to all features enabled and service control policies are enabled
on
the root.

The output includes an organization structure that contains details about the new
organization: